Automatic human check at the WP backend - logged in as admin
What is the issue you’re encountering
Human Check blocks save buttons at backend
What steps have you taken to resolve the issue?
I checked the WP Plugin Turnstile - “no checks for admin” is activated
I tested some WAF rules
no check for my IP, no check for URI /wp-admin
nothing works
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
Not possible, because it's inside the backend
When I work inside the WP backend as admin inside an article, the save button, preview button (all buttons) are no longer highlighted and so not usable.
I must open another article, use “update”, the CF-Human-Check appears and is automatically confirmed as correct and the page is updated. This way the buttons in the first article are now usable - for some minutes.
Any ideas or solutions?
Hey there,
I’ve run into something similar in the past—frustrating when Cloudflare’s security layer interferes with WP backend usability.
Since you’ve already confirmed that “no checks for admin” is on in Turnstile and you’re bypassing your IP and /wp-admin in WAF rules, here are a couple of things to double-check:
Page Rules: Try setting a Cloudflare Page Rule for your admin area with Security Level: Essentially Off (e.g., https://yourdomain.com/wp-admin/*).
Browser Integrity Check: Make sure that’s turned off under Security settings—it can conflict with logged-in sessions.
Rocket Loader: Disable Rocket Loader under Speed > Optimization. It sometimes breaks JS in the WordPress admin area.
Plugin Conflicts: Temporarily disable other security/cache plugins to see if there’s a double-layer conflict (e.g., Wordfence + Cloudflare).
Cookies/Headers: Some human checks rely on cookie headers—check that nothing is stripping/modifying those headers server-side.
If all else fails, consider temporarily disabling Turnstile entirely and confirming if the issue is strictly related to it or a deeper WAF/session problem.
Thank you for your ideas and help.
I tried various things, but nothing worked. So I went back to the beginning of the new human review for cf. Weeks ago, I had to accept the new global security rules in cf: Cloudflare Managed Ruleset and Cloudflare OWASP-Core Ruleset.
I noticed that human review always occurs when I post or publish something. So I created a security rule under Security / Rules and used POST, PUT, and GET to allow publishing without review to /wp-admin/*. Now it works again without the annoying query.
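Added example, not part of the thread: the rule described in the last post written as a Cloudflare rule expression, next to a narrower variant that only matches the administrator's own address. The IP 203.0.113.10 is a constructed placeholder, and the rule's action (for example Skip for the managed rulesets) is set in the dashboard and is not shown in the thread.

```text
# As described in the thread: matches every client that sends
# GET, POST or PUT to the admin area.
(starts_with(http.request.uri.path, "/wp-admin/") and http.request.method in {"GET" "POST" "PUT"})

# Narrower variant: same path and methods, but only from the
# administrator's address (203.0.113.10 is a placeholder).
(starts_with(http.request.uri.path, "/wp-admin/") and http.request.method in {"GET" "POST" "PUT"} and ip.src eq 203.0.113.10)
```

The lines starting with # are labels for the reader and are not part of the expression. The first form exempts all traffic to /wp-admin/ from whatever the rule skips, so the narrower form keeps the managed rulesets in front of the admin area for everyone else.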